
Pegasus hacking tool used to spy on journalists and activists

Human rights activists and journalists have been the subject of hacking attempts using NSO Group's Pegasus spyware, an investigation claims, with approximately 37 smartphones successfully hacked using the surveillance tool.

NSO Group is known for producing hacking tools, which are used by governments and law enforcement agencies around the world. The company's best-known tool is "Pegasus," spyware that can jailbreak a device like an iPhone, install malware, and allow the exporting of user data.

An investigation by a group of 17 media organizations suggests Pegasus is being used to attack critics of governments, rather than just against criminals. A leak, reported by The Guardian, includes a list of more than 50,000 phone numbers thought to belong to people of interest to clients of NSO Group since 2016.

However, more than 180 numbers associated with journalists were included in the list, among them reporters and executives at major outlets such as the Financial Times, CNN, and the New York Times.

Once a device was infected, Pegasus enabled a user to extract practically any data they wanted from it, as well as to enable cameras and microphones in secret, read encrypted messages, and record phone calls. GPS coordinates could also be acquired, allowing for live tracking and logging of where the target had been.

While the list of numbers uncovered by journalism non-profit Hidden Stories and Amnesty International does not guarantee that the devices in question were attacked with the software, it seems a high proportion may have undergone some form of surveillance.

Amnesty's Security Lab discovered traces of Pegasus activity on 37 out of 67 smartphones it examined that were linked to the list. The smartphones were sourced from journalists, human rights activists, and lawyers who appeared on the list.

In some cases, it was found that the time and date the person was added to the list was very close to any recorded activity on the device, sometimes within seconds.

A group of 10 governments are believed to be NSO clients adding numbers into the system, with the list including Azerbaijan, Kazakhstan, Rwanda, and the UAE, among others. Mexico is thought to have contributed the most numbers to the list at over 15,000 lines, with its use by multiple agencies the most likely reason for the high count.

The leaked data also suggests Pegasus was used by Saudi Arabia and the UAE to target smartphones of people close to murdered journalist Jamal Khashoggi for months after his death. A Turkish prosecutor investigating the death was also apparently considered a target for surveillance.

In a statement to The Verge, NSO denied the report's claims, insisting it was "full of wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of the sources." The company is apparently considering a defamation lawsuit as "these allegations are so outrageous and far from reality."

In October 2019, Facebook sued NSO Group over allegations the hacking tool producer used a vulnerability in WhatsApp to send malware to around 1,400 journalists. In April 2020, NSO Group claimed Facebook had previously approached the company in 2017 to potentially buy access to the software, specifically to gather data on Apple devices.




12 Comments

caladanian 380 comments · 10 Years

I would like to know which versions of iOS / iPhones were affected. Critical: Pegasus could apparently be installed via zero-days, via iMessage data, via IMSI catchers - and all also without any user interaction.

Once on a phone it could even suppress installation of bug-fixes via OS-Updates (not sure if iOS or Android was suppressed), as I read. 

This is critical news. I think Apple is still quite secure, but when they found relics of Pegasus on 37 of 44 iPhones from suspected persons on these lists that’s diminishing my confidence in Apple. And a strong argument against any back doors once again.

ArchStanton 200 comments · 3 Years

Standard journalism nonsense here. Regarding the surveillance mentioned, most is normal operation procedure on Android. Google (and Facebook) collect and monetize most of the data mentioned. Why would "Pegasus" even be needed? Other than trolls and anti apple hysterical, it is plain fact that location data, contacts list, messaging metadata among others is factually monetized. A third party app of any variety can also record this data without even breaking ToS or being malware based. 
Stupid Apple for not taking this chance to hit that point over and over hard! Instead going with a wimpy "experts say we are safer". That's like a bad TV commercial statement.

The article is short on details except mentioning "through apps" and mentioning the vulnerability found in iMessage. Apple patched that vulnerability. So what other Apps were involved? I'll wager it isn't iOS but again if it is an app doing data tracking outside of the app usage, Apple should know this and pull it. Not naming Apps? That probably means there is a big name behind an app. 

citpeks 253 comments · 10 Years

ArchStanton said:
Standard journalism nonsense here. Regarding the surveillance mentioned, most is normal operation procedure on Android. Google (and Facebook) collect and monetize most of the data mentioned. Why would "Pegasus" even be needed? Other than trolls and anti apple hysterical, it is plain fact that location data, contacts list, messaging metadata among others is factually monetized. A third party app of any variety can also record this data without even breaking ToS or being malware based. 
Stupid Apple for not taking this chance to hit that point over and over hard! Instead going with a wimpy "experts say we are safer". That's like a bad TV commercial statement.

The article is short on details except mentioning "through apps" and mentioning the vulnerability found in iMessage. Apple patched that vulnerability. So what other Apps were involved? I'll wager it isn't iOS but again if it is an app doing data tracking outside of the app usage, Apple should know this and pull it. Not naming Apps? That probably means there is a big name behind an app. 

175 words to say "I haven't read the article, or have no critical thinking skills."

ArchStanton 200 comments · 3 Years

citpeks said:
Standard journalism nonsense here. Regarding the surveillance mentioned, most is normal operation procedure on Android. Google (and Facebook) collect and monetize most of the data mentioned. Why would "Pegasus" even be needed? Other than trolls and anti apple hysterical, it is plain fact that location data, contacts list, messaging metadata among others is factually monetized. A third party app of any variety can also record this data without even breaking ToS or being malware based. 
Stupid Apple for not taking this chance to hit that point over and over hard! Instead going with a wimpy "experts say we are safer". That's like a bad TV commercial statement.

The article is short on details except mentioning "through apps" and mentioning the vulnerability found in iMessage. Apple patched that vulnerability. So what other Apps were involved? I'll wager it isn't iOS but again if it is an app doing data tracking outside of the app usage, Apple should know this and pull it. Not naming Apps? That probably means there is a big name behind an app. 

175 words to say "I haven't read the article, or have no critical thinking skills."

Wow, you’re right (a quick scan of the previous reveals that is something you’re undoubtedly unaccustomed to), I only scanned the AI article. I’d already read the story at The Guardian. While AI was comparatively succinct — though still informative — it was an abbreviation of the original. The Guardian has significantly more information, maps, excellent links to the Pegasus Project. But that article isn’t for you, it doesn’t have basic three word explanation pop ups, coloring book print outs, or TikTok twerking videos.

tmay 6456 comments · 11 Years

ArchStanton said:
Standard journalism nonsense here. Regarding the surveillance mentioned, most is normal operation procedure on Android. Google (and Facebook) collect and monetize most of the data mentioned. Why would "Pegasus" even be needed? Other than trolls and anti apple hysterical, it is plain fact that location data, contacts list, messaging metadata among others is factually monetized. A third party app of any variety can also record this data without even breaking ToS or being malware based. 
Stupid Apple for not taking this chance to hit that point over and over hard! Instead going with a wimpy "experts say we are safer". That's like a bad TV commercial statement.

The article is short on details except mentioning "through apps" and mentioning the vulnerability found in iMessage. Apple patched that vulnerability. So what other Apps were involved? I'll wager it isn't iOS but again if it is an app doing data tracking outside of the app usage, Apple should know this and pull it. Not naming Apps? That probably means there is a big name behind an app. 

You seem to have a different take about NSO Pegasus than myself and others.

My take is that a number of Governments, many authoritarian, are violating the terms of NSO's contracts, and these violations are with respect to spying on world leaders, activists, and journalists.

https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/

"NSO Group claims that its Pegasus spyware is only used to “investigate terrorism and crime” and “leaves no traces whatsoever”. This Forensic Methodology Report shows that neither of these statements are true. This report accompanies the release of the Pegasus Project, a collaborative investigation that involves more than 80 journalists from 17 media organizations in 10 countries coordinated by Forbidden Stories with technical support of Amnesty International’s Security Lab.

Amnesty International’s Security Lab has performed in-depth forensic analysis of numerous mobile devices from human rights defenders (HRDs) and journalists around the world. This research has uncovered widespread, persistent and ongoing unlawful surveillance and human rights abuses perpetrated using NSO Group’s Pegasus spyware."


There's a better explained link of posts by John Scott-Railton, University of Toronto, CitizenLab

https://twitter.com/jsrailton/status/1416792857084583939